We are seeing hundreds of connection attempts per minute to one of our domains, APS2000.com. This has been going on for quite a while. I would like to know if there is anything I can do to stop these connections. I have a log file that I have zipped up but it is 33.5 MB. How do you want me to send it to you?

I've sent you a PM with the details on how to send us the file via FTP. As an FYI, SpamFilter has the following setting (which is enabled by default) that greatly helps prevent issues from such attacks:

Enable Cached IP Blocking - If an IP address sends more than a certain number of spam emails (3 by default) during a certain time interval (10 minutes by default), then it can be temporarily banned (blacklisted). All further connections from that IP address will be immediately rejected without allowing the sender to transmit any data. This should greatly reduce the load on the server. A banned IP address will be automatically removed from this temporary blacklist after a defined time interval (60 minutes by default). To prevent specific IPs from being added to this list, they can be added to the DoNotAddIPToHoneypot SpamFilter.ini option.

Thanks for the reply. I have uploaded the file named ITIComputers20101102.zip to the FTP account you sent me. I will look at that configuration option you mentioned and see if that does anything to stop this attack in the meantime.

We received your log, and it was rather "unusual". Let me summarize what we see.

During the day your SpamFilter received 232,954 connections. Of these, there was a whopping (high/huge) number of 102,926 individual/unique IPs that attempted connections to SpamFilter. So each IP on average made just over 2 connections. This pretty much eliminates any single IP from sending large quantities of spam toward your network.

In addition, a very large number of connection attempts (91,830) was stopped in its tracks by the greylist filter, which prevented those connections from even attempting to send an email.

Over 83% of the emails in the logs were indeed sent to the aps2000.com domain, but depending on the domain's history and number of users when compared against the other domains you host, that could be normal.

We do see, however, that you have configured SpamFilter to tag spam instead of blocking it. Tagging spam emails as such and delivering them forces SpamFilter to accept the emails from the senders. If the email is accepted, the sender believes that the email is going to be delivered. So for all the spam emails you receive, to the senders (keep in mind these are mostly automated emails), when the spammers go back and analyze the statistics of their spam campaign, they will all show up as "good" spam emails, meaning they were all delivered. This will likely cause them to give a high reliability to the addresses they are spamming, causing the spam to increase. If you had configured SpamFilter to block such emails instead of tagging them and delivering them, hundreds of thousands of spam emails addressed to that domain would be blocked each week, making it a bit less likely that spam will be delivered to them in the future.

Do note however that if you start to stop such emails now, the change I described above would be very, very, very slow, as it will take months/years for the email databases spammers acquire to be updated.
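A sketch of the per-IP ban logic described for Enable Cached IP Blocking, replayed over constructed traffic to show what it does with one noisy sender versus many senders making about two attempts each, as in the log summary above. This is an added example, not SpamFilter's code or part of the thread; the class and function names, and treating every accepted attempt as spam, are assumptions.

```python
from collections import defaultdict, deque

class CachedIPBlocker:
    """Per-IP temporary ban: more than `threshold` spam emails within `window`
    seconds bans the IP for `ban_time` seconds (defaults from the quoted text)."""

    def __init__(self, threshold=3, window=600, ban_time=3600):
        self.threshold, self.window, self.ban_time = threshold, window, ban_time
        self.spam_times = defaultdict(deque)   # ip -> timestamps of recent spam
        self.banned_until = {}                 # ip -> time the ban expires

    def allow_connection(self, ip, now):
        """Return False while the IP is banned; expired bans are dropped."""
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self.banned_until[ip]
        return True

    def record_spam(self, ip, now):
        """Note one spam email from `ip`; ban it once it exceeds the threshold."""
        times = self.spam_times[ip]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()                    # forget spam older than the window
        if len(times) > self.threshold:
            self.banned_until[ip] = now + self.ban_time
            times.clear()

def replay(events, blocker=None):
    """events: (seconds, ip) attempts in time order. Returns (accepted, rejected)."""
    blocker = blocker or CachedIPBlocker()
    accepted = rejected = 0
    for now, ip in events:
        if blocker.allow_connection(ip, now):
            accepted += 1
            blocker.record_spam(ip, now)       # assumption: every attempt is spam
        else:
            rejected += 1
    return accepted, rejected

# Constructed traffic (documentation-range addresses, not from the uploaded log).
single_source = [(t * 30, "192.0.2.10") for t in range(20)]      # one noisy IP
distributed = sorted((i * 7 + k * 20000, f"198.51.100.{i}")      # 200 IPs,
                     for i in range(200) for k in range(2))       # 2 attempts each
```

Replaying `single_source` rejects everything after the fourth attempt, while `distributed` never reaches the per-IP threshold, so that traffic has to be handled by the other filters such as greylisting.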

The APS domain has about 31 users, and they are not very active. So there is no way that there should be 83% of the total emails going to them. My guess would be less than 10% legit email usage.

From what you are saying, it seems like there are hundreds of possibly virus-infected computers that are sending one or two emails per day. So there is no way to really stop those attacks until the owners fix the problems.

Unfortunately, we have to Tag and Deliver the spam to most of our clients because they see 1 to 10 per month in the spam folders that are legit emails coming from NEW clients that they have no way to know beforehand that those emails are coming.

I appreciate your help with this matter. If you can think of anything else, please let me know.
